The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Thursday, July 26, 2012

Skype makes chats and user data more available to police

The Washington Post has entered the discussion on Skype and cooperation with law enforcement with an interesting and more thorough canvass of the debate and the facts. It includes information obtained from unnamed insiders who the Post says are familiar with the situation.

But it does seem to affirm that Microsoft, consistent with its past track record of cooperation with law enforcement, can and does make customer information and chat records available to law enforcement. (Customer information would require a subpoena, while chat records would require a court order. What their thresholds are for non-US legal process or whether they will abide by non-American court orders is unclear.)

With respect to the actual contents of Skype audio or video calls, the article notes:

Surveillance of the audio and video feeds remains impractical — even when courts issue warrants, say industry officials with direct knowledge of the matter.

That could change if the FBI gets its wish to have VoIP services added to the Communications Assistance to Law Enforcement Act. Currently, such services are not required to be wiretap-ready.

Skype, the online phone service long favored by political dissidents, criminals and others eager to communicate beyond the reach of governments, has expanded its cooperation with law enforcement authorities to make online chats and other user information available to police, said industry and government officials familiar with the changes.

Surveillance of the audio and video feeds remains impractical — even when courts issue warrants, say industry officials with direct knowledge of the matter. But that barrier could eventually vanish as Skype becomes one of the world’s most popular forms of telecommunication.

The changes to online chats, which are written messages conveyed almost instantaneously between users, result in part from technical upgrades to Skype that were instituted to address outages and other stability issues since Microsoft bought the company last year. Officials of the United States and other countries have long pushed to expand their access to newer forms of communications to resolve an issue that the FBI calls the “going dark” problem.

Microsoft has approached the issue with “tremendous sensitivity and a canny awareness of what the issues would be,” said an industry official familiar with Microsoft’s plans, who like several people interviewed for this story spoke on the condition of anonymity because they weren’t authorized to discuss the issue publicly. The company has “a long track record of working successfully with law enforcement here and internationally,” he added.

The changes, which give the authorities access to addresses and credit card numbers, have drawn quiet applause in law enforcement circles but hostility from many activists and analysts.

Authorities had for years complained that Skype’s encryption and other features made tracking drug lords, pedophiles and terrorists more difficult. Jihadis recommended the service on online forums. Police listening to traditional wiretaps occasionally would hear wary suspects say to one another, “Hey, let’s talk on Skype.”

Hacker groups and privacy experts have been speculating for months that Skype had changed its architecture to make it easier for governments to monitor, and many blamed Microsoft, which has an elaborate operation for complying with legal government requests in countries around the world.

“The issue is, to what extent are our communications being purpose-built to make surveillance easy?” said Lauren Weinstein, co-founder of People for Internet Responsibility, a digital privacy group. “When you make it easy to do, law enforcement is going to want to use it more and more. If you build it, they will come.”

Skype was slow to clarify the situation, issuing a statement recently that said, “As was true before the Microsoft acquisition, Skype cooperates with law enforcement agencies as is legally required and technically feasible.”

But changes allowing police surveillance of online chats had been made since late last year, a knowledgeable industry official said Wednesday.

In the United States, such requests require a court order, though in other nations rules vary. Skype has more than 600 million users, with some in nearly every nation in the world. Political dissidents relied on it extensively during the Arab Spring to communicate with journalists, human rights workers and each other, in part because of its reputation for security.

Skype’s resistance to government monitoring, part of the company ethos when European engineers founded it in 2003, resulted from both uncommonly strong encryption and a key technical feature: Skype calls connected computers directly rather than routing data through central servers, as many other Internet-based communication systems do. That makes it more difficult for law enforcement to intercept the call. The authorities long have been able to wiretap Skype calls to traditional phones.

The company created a law-enforcement compliance team not long after eBay bought the company in 2005, putting it squarely under the auspices of U.S. law. The company was later sold to private investors before Microsoft bought it in May 2011 for $8.5 billion.

The new ownership had at least an indirect role in the security changes. Skype has endured periodic outages, including a disastrous one in December 2010. Company officials concluded that a more robust system was needed if the company was going to reach its potential.

Industry officials said the resulting push for the creation of so-called “supernodes,” which routed some data through centralized servers, made greater cooperation with law enforcement authorities possible.

The access to personal information and online chats, which are kept in Skype’s systems for 30 days, remains short of what some law enforcement officials have requested.

The FBI, whose officials have complained to Congress about the “going dark” problem, issued a statement Wednesday night saying it couldn’t comment on a particular company or service but that surveillance of conversations “requires review and approval by a court. It is used only in national security matters and to combat the most serious crimes.”

Hackers in recent years have demonstrated that it was possible to penetrate Skype, but it’s not clear how often this happened. Microsoft won a patent in June 2011 for “legal intercept” of Skype and similar Internet-based voice and video systems. It is also possible, experts say, to monitor Skype chats as well as voice and video by hacking into a user’s computer, doing an end run around encryptions.

“If someone wants to compromise a Skype communication, all they have to do is hack the endpoint — the person’s computer or tablet or mobile phone, which is very easy to do,” said Tom Kellermann, vice president of cybersecurity for Trend Micro, a cloud security company.

Some industry officials, however, say Skype loses some competitive edge in the increasingly crowded world of Internet-based communications systems if users no longer see it as more private than rival services.

“This is just making Skype like every other communication service, no better, no worse,” said one industry official, speaking on the condition of anonymity. “Skype used to be very special because it really was locked up. Now it’s like Superman without his powers.”

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.